pandastealer | d96df1051e62aa40baefd51235be45f8038745582a5d3428b63123fd2ced60db

Analysis

max time kernel
47s
max time network
37s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
10-12-2024 14:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

geek.exe
Size

6.7MB
MD5

ef78997488e6121971404a3f25686fee
SHA1

53a260990106e5271cb525f87be008e299beaa85
SHA256

d96df1051e62aa40baefd51235be45f8038745582a5d3428b63123fd2ced60db
SHA512

8a021950ae41a76659cacdba57d4a090b839dc9a39866b1ca3b6efc533d2542cdb40dbf5004c58d1793329a60126052d7372b0b3d4e9165cfa48938f0e77e573
SSDEEP

98304:jo2mCHer41qIJVUR0LRn2ufOFL//bHAKYmg77UQ1mfa/ews4VOp9mD:U4wIY0LRnHfq37g7oQcfa/ewsWOpsD

Score

10^/10

pandastealer discovery persistence privilege_escalation spyware stealer

Malware Config

Signatures

Panda Stealer payload 2 IoCs

resource	yara_rule
behavioral1/memory/1336-3637-0x0000000010000000-0x00000000108D0000-memory.dmp	family_pandastealer
behavioral1/memory/2664-3662-0x0000000010000000-0x00000000108D0000-memory.dmp	family_pandastealer

PandaStealer
Panda Stealer is a fork of CollectorProject Stealer written in C++.
stealer pandastealer
Pandastealer family
pandastealer

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 14 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\WebKit.dll	msiexec.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\sentinel	msiexec.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.msi	msiexec.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.exe	msiexec.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe	msiexec.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe Root Certificate.cer	msiexec.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Thawte Root Certificate.cer	msiexec.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe	msiexec.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\setup.swf	msiexec.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe	msiexec.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR.dll	msiexec.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.swf	msiexec.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\digest.s	msiexec.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\NPSWF32.dll	msiexec.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\{90140000-002A-0000-1000-0000000FF1CE}\ShellUI.MST	geek64.exe
File created	C:\Windows\Installer\f772fe8.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3054.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f772fe8.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\SC_Reader.exe	geek64.exe

Executes dropped EXE 3 IoCs

pid	Process
1756	geek64.exe
1272	Process not Found
2636	Uninst.exe

Loads dropped DLL 3 IoCs

pid	Process
2580	geek.exe
2988	Uninstall.exe
1272	Process not Found

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 8 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	geek64.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	geek64.exe
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\NetSh	geek64.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	geek64.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	geek64.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	geek64.exe
Key opened	\REGISTRY\MACHINE\Software\Microsoft\NetSh	geek64.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	geek64.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adobe air updater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	geek.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Uninstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Uninst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adobe AIR Updater.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	Adobe AIR Updater.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Adobe AIR Updater.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	adobe air updater.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	adobe air updater.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D	msiexec.exe

Modifies registry class 13 IoCs

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8663020007180A44EB446B23AFD487F0	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\8663020007180A44EB446B23AFD487F0	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\5D029AD8C14C0E24FB1378AB9489E44E	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\AIR.InstallerPackage\shell	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\AIR.InstallerPackage	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8663020007180A44EB446B23AFD487F0\SourceList\Media	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8663020007180A44EB446B23AFD487F0\SourceList\Net	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\AIR.InstallerPackage\shell\open	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\AIR.InstallerPackage\DefaultIcon	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.air\OpenWithProgids	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.air	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8663020007180A44EB446B23AFD487F0\SourceList	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\AIR.InstallerPackage\shell\open\command	msiexec.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
1756	geek64.exe
1756	geek64.exe
3928	msiexec.exe
3928	msiexec.exe
3928	msiexec.exe
3928	msiexec.exe
3928	msiexec.exe
3928	msiexec.exe
3928	msiexec.exe
3928	msiexec.exe
3928	msiexec.exe
3928	msiexec.exe
1756	geek64.exe
1756	geek64.exe
1756	geek64.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1756	geek64.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1756	geek64.exe
Token: SeDebugPrivilege	1756	geek64.exe
Token: SeDebugPrivilege	1756	geek64.exe
Token: SeDebugPrivilege	1756	geek64.exe
Token: SeShutdownPrivilege	1336	adobe air updater.exe
Token: SeIncreaseQuotaPrivilege	1336	adobe air updater.exe
Token: SeRestorePrivilege	3928	msiexec.exe
Token: SeTakeOwnershipPrivilege	3928	msiexec.exe
Token: SeSecurityPrivilege	3928	msiexec.exe
Token: SeCreateTokenPrivilege	1336	adobe air updater.exe
Token: SeAssignPrimaryTokenPrivilege	1336	adobe air updater.exe
Token: SeLockMemoryPrivilege	1336	adobe air updater.exe
Token: SeIncreaseQuotaPrivilege	1336	adobe air updater.exe
Token: SeMachineAccountPrivilege	1336	adobe air updater.exe
Token: SeTcbPrivilege	1336	adobe air updater.exe
Token: SeSecurityPrivilege	1336	adobe air updater.exe
Token: SeTakeOwnershipPrivilege	1336	adobe air updater.exe
Token: SeLoadDriverPrivilege	1336	adobe air updater.exe
Token: SeSystemProfilePrivilege	1336	adobe air updater.exe
Token: SeSystemtimePrivilege	1336	adobe air updater.exe
Token: SeProfSingleProcessPrivilege	1336	adobe air updater.exe
Token: SeIncBasePriorityPrivilege	1336	adobe air updater.exe
Token: SeCreatePagefilePrivilege	1336	adobe air updater.exe
Token: SeCreatePermanentPrivilege	1336	adobe air updater.exe
Token: SeBackupPrivilege	1336	adobe air updater.exe
Token: SeRestorePrivilege	1336	adobe air updater.exe
Token: SeShutdownPrivilege	1336	adobe air updater.exe
Token: SeDebugPrivilege	1336	adobe air updater.exe
Token: SeAuditPrivilege	1336	adobe air updater.exe
Token: SeSystemEnvironmentPrivilege	1336	adobe air updater.exe
Token: SeChangeNotifyPrivilege	1336	adobe air updater.exe
Token: SeRemoteShutdownPrivilege	1336	adobe air updater.exe
Token: SeUndockPrivilege	1336	adobe air updater.exe
Token: SeSyncAgentPrivilege	1336	adobe air updater.exe
Token: SeEnableDelegationPrivilege	1336	adobe air updater.exe
Token: SeManageVolumePrivilege	1336	adobe air updater.exe
Token: SeImpersonatePrivilege	1336	adobe air updater.exe
Token: SeCreateGlobalPrivilege	1336	adobe air updater.exe
Token: SeRestorePrivilege	3928	msiexec.exe
Token: SeTakeOwnershipPrivilege	3928	msiexec.exe
Token: SeRestorePrivilege	3928	msiexec.exe
Token: SeTakeOwnershipPrivilege	3928	msiexec.exe
Token: SeRestorePrivilege	3928	msiexec.exe
Token: SeTakeOwnershipPrivilege	3928	msiexec.exe
Token: SeRestorePrivilege	3928	msiexec.exe
Token: SeTakeOwnershipPrivilege	3928	msiexec.exe
Token: SeRestorePrivilege	3928	msiexec.exe
Token: SeTakeOwnershipPrivilege	3928	msiexec.exe
Token: SeRestorePrivilege	3928	msiexec.exe
Token: SeTakeOwnershipPrivilege	3928	msiexec.exe
Token: SeRestorePrivilege	3928	msiexec.exe
Token: SeTakeOwnershipPrivilege	3928	msiexec.exe
Token: SeRestorePrivilege	3928	msiexec.exe
Token: SeTakeOwnershipPrivilege	3928	msiexec.exe
Token: SeRestorePrivilege	3928	msiexec.exe
Token: SeTakeOwnershipPrivilege	3928	msiexec.exe
Token: SeRestorePrivilege	3928	msiexec.exe
Token: SeTakeOwnershipPrivilege	3928	msiexec.exe
Token: SeRestorePrivilege	3928	msiexec.exe
Token: SeTakeOwnershipPrivilege	3928	msiexec.exe
Token: SeRestorePrivilege	3928	msiexec.exe
Token: SeTakeOwnershipPrivilege	3928	msiexec.exe
Token: SeRestorePrivilege	3928	msiexec.exe
Token: SeTakeOwnershipPrivilege	3928	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1756	geek64.exe

Suspicious use of SetWindowsHookEx 19 IoCs

pid	Process
2580	geek.exe
1756	geek64.exe
1756	geek64.exe
1756	geek64.exe
1756	geek64.exe
1756	geek64.exe
1756	geek64.exe
1756	geek64.exe
1756	geek64.exe
1756	geek64.exe
1756	geek64.exe
1756	geek64.exe
1756	geek64.exe
1756	geek64.exe
1756	geek64.exe
1756	geek64.exe
1756	geek64.exe
1756	geek64.exe
1756	geek64.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 2580 wrote to memory of 1756	2580	geek.exe	30
PID 2580 wrote to memory of 1756	2580	geek.exe	30
PID 2580 wrote to memory of 1756	2580	geek.exe	30
PID 2580 wrote to memory of 1756	2580	geek.exe	30
PID 1756 wrote to memory of 2988	1756	geek64.exe	33
PID 1756 wrote to memory of 2988	1756	geek64.exe	33
PID 1756 wrote to memory of 2988	1756	geek64.exe	33
PID 1756 wrote to memory of 2988	1756	geek64.exe	33
PID 1756 wrote to memory of 2988	1756	geek64.exe	33
PID 1756 wrote to memory of 2988	1756	geek64.exe	33
PID 1756 wrote to memory of 2988	1756	geek64.exe	33
PID 2988 wrote to memory of 2636	2988	Uninstall.exe	34
PID 2988 wrote to memory of 2636	2988	Uninstall.exe	34
PID 2988 wrote to memory of 2636	2988	Uninstall.exe	34
PID 2988 wrote to memory of 2636	2988	Uninstall.exe	34
PID 2988 wrote to memory of 2636	2988	Uninstall.exe	34
PID 2988 wrote to memory of 2636	2988	Uninstall.exe	34
PID 2988 wrote to memory of 2636	2988	Uninstall.exe	34
PID 1756 wrote to memory of 2664	1756	geek64.exe	35
PID 1756 wrote to memory of 2664	1756	geek64.exe	35
PID 1756 wrote to memory of 2664	1756	geek64.exe	35
PID 1756 wrote to memory of 2664	1756	geek64.exe	35
PID 1756 wrote to memory of 2664	1756	geek64.exe	35
PID 1756 wrote to memory of 2664	1756	geek64.exe	35
PID 1756 wrote to memory of 2664	1756	geek64.exe	35
PID 2664 wrote to memory of 1336	2664	Adobe AIR Updater.exe	36
PID 2664 wrote to memory of 1336	2664	Adobe AIR Updater.exe	36
PID 2664 wrote to memory of 1336	2664	Adobe AIR Updater.exe	36
PID 2664 wrote to memory of 1336	2664	Adobe AIR Updater.exe	36
PID 2664 wrote to memory of 1336	2664	Adobe AIR Updater.exe	36
PID 2664 wrote to memory of 1336	2664	Adobe AIR Updater.exe	36
PID 2664 wrote to memory of 1336	2664	Adobe AIR Updater.exe	36

C:\Users\Admin\AppData\Local\Temp\geek.exe
"C:\Users\Admin\AppData\Local\Temp\geek.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2580
- C:\Users\Admin\AppData\Local\Temp\geek64.exe
  C:\Users\Admin\AppData\Local\Temp\geek64.exe
  2⤵
  - Drops file in Windows directory
  - Executes dropped EXE
  - Event Triggered Execution: Netsh Helper DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1756
- - C:\Program Files\7-Zip\Uninstall.exe
    "C:\Program Files\7-Zip\Uninstall.exe"
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2988
  - - C:\Users\Admin\AppData\Local\Temp\7z6DDBDBAC\Uninst.exe
      C:\Users\Admin\AppData\Local\Temp\7z6DDBDBAC\Uninst.exe /N /D="C:\Program Files\7-Zip\"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2636
- - C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe
    "C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe" -arp:uninstall
    3⤵
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious use of WriteProcessMemory
    PID:2664
  - - C:\program files (x86)\common files\adobe air\versions\1.0\adobe air updater.exe
      "C:\program files (x86)\common files\adobe air\versions\1.0\adobe air updater.exe" -stdio \\.\pipe\AIR_2664_0 -uninstall
      4⤵
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      Suspicious use of AdjustPrivilegeToken
      PID:1336
- - C:\Windows\system32\regsvr32.exe
    regsvr32.exe /s /u "C:\Program Files\Mozilla Firefox\AccessibleHandler.dll"
    3⤵
    PID:572
- - C:\Windows\system32\regsvr32.exe
    regsvr32.exe /s /u "C:\Program Files\Mozilla Firefox\AccessibleMarshal.dll"
    3⤵
    PID:600
- - C:\Windows\system32\regsvr32.exe
    regsvr32.exe /s /u "C:\Program Files\Mozilla Firefox\IA2Marshal.dll"
    3⤵
    PID:1100

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f772fe9.rbs

Filesize
14KB

MD5
8ccfb1cfa0928854b775996c10262c90

SHA1
3634cfed0d2accd0998860e59f0a21d55ea10041

SHA256
a5a47194687bea0bbbde21bdf93d095902854ead6fd56c7fc3ce7efd9d309287

SHA512
c0b1fe34d6725b077df19d74370dbcf9233d71e3dbfcf64f610527d76495ce7a123cb06b7f48c91405d8e04b4a41e7a72867a4df8c1a71800b7fbcddd66a18ab

Download Submit
C:\Users\Admin\AppData\Roaming\Geek Uninstaller\prefs.xml

Filesize
578B

MD5
7d48f091346d1531b7b1e660eb1d0e8a

SHA1
4bd2b25bee973c5b9f0ccc13c34b3c9db72f3296

SHA256
e203f5a975a66a78a4c618ea70ba72e2be750c30f0abb66adf8ae7e5a3c2d0fe

SHA512
54efe8165ce687004817be129ee82d2c050318f6a6caa77d6e80dcee1e1784b5c49e415b01d9e3f4aa0deef03961d1fcca653421cf56c9f28ef6aeda18d78e6b

Download Submit
\Program Files\Mozilla Firefox\AccessibleHandler.dll

Filesize
179KB

MD5
650e92170be6d72b5b03b4fd57d9c768

SHA1
96afb8675e8d0ddeda7e5188182d2f7bcfc33ae4

SHA256
1f82976a2d2dfb39ecb4aef21390151d6407c4b76f8401e86b6162920c17e622

SHA512
9ba4d29a8557a50e972a77edbc72c05ffe62fca5b238c68ec7325932b554d10a3feacd5ef3a4a004feff41c5d956d2a78ac98cc2688b3a83ebd35e7c9d1d6b2b

Download Submit
\Program Files\Mozilla Firefox\AccessibleMarshal.dll

Filesize
32KB

MD5
603790c20a3c54910d57a264b9570251

SHA1
cc116b933d2765ac44d268202e342132ec30b8a4

SHA256
682a1749e7de1f422f7bef98b726e419eabaf7f5c06d89d75626e51a12729b8d

SHA512
d9807ac77d3df4ed0b3f1be2923f8b61794c37b7bb759c9c5b1ed80c2c629b0ce0c7f8607e98ed4628d3143d8fdcffe7d994e670ac08a55db4934461af8c205a

Download Submit
\Program Files\Mozilla Firefox\IA2Marshal.dll

Filesize
82KB

MD5
f309a1b32cbb2b87db1504174fa36b8d

SHA1
5c3096985b95f2d69153cdb3666d5f18629da03b

SHA256
ad868b5352811dc328c4e75b2898d45c75c5af8d3b0ac062810d95847a99e0bc

SHA512
a493a111cce1de0ea9d9999a7e1773334a1fc7b7e71115e60b22d0c1b52e439d889865051c6487665d2638705a676f8600653059dc120d9bdb87d8a81b737112

Download Submit
\Users\Admin\AppData\Local\Temp\7z6DDBDBAC\Uninst.exe

Filesize
14KB

MD5
ad782ffac62e14e2269bf1379bccbaae

SHA1
9539773b550e902a35764574a2be2d05bc0d8afc

SHA256
1c8a77db924ebeb952052334dc95add388700c02b073b07973cd8fe0a0a360b8

SHA512
a1e9d6316ffc55f4751090961733e98c93b2a391666ff50b50e9dea39783746e501d14127e7ee9343926976d7e3cd224f13736530354d8466ea995dab35c8dc2

Download Submit
\Users\Admin\AppData\Local\Temp\geek64.exe

Filesize
3.7MB

MD5
c84a3c776bf83d55f901288db3b8b8a0

SHA1
515df2a9fb35beef25d070b688d692646f0a1c8f

SHA256
b8d968872fe7ed8de7eeb89ff6e1ce2029521f7c744c088ae2c4807b396d28ae

SHA512
e471e4ffa1511b5239474577eda92ccb98918eb1633284af20ed80a3cd8366dc4b3ecbe2482b9325e6c543b1acf07731973290265b0ac3c94ea6c436b12e9064

Download Submit
memory/1336-3636-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1336-3637-0x0000000010000000-0x00000000108D0000-memory.dmp

Filesize
8.8MB

Download
memory/2664-3662-0x0000000010000000-0x00000000108D0000-memory.dmp

Filesize
8.8MB

Download